back to home
privacy policy
Last Updated: August 22, 2025
Version: 1.0
Effective Date: August 22, 2025
This Privacy Policy ("Policy") describes how Julien Pinto, doing business as Spill ("Company," "we," "us," or "our"), collects, uses, discloses and safeguards information when you use the Spill mobile application and any related services (collectively, the "App").
By accessing or using the App, you agree to the practices described in this Policy. If you do not agree, please do not use the App.
π‘οΈ Our Privacy Principles
Privacy by Design: We collect only the minimum data necessary to provide our services
Transparency: We clearly explain what data we collect and why
User Control: You have full control over your content and privacy settings
Security First: Your videos and personal data are encrypted and protected
No Ads: We do not sell your personal information or use it for advertising
1.1 Information You Provide
Account Information
Examples: Email address via Apple Sign-In, display name, optional profile photo
Purpose: Create and maintain your account, authentication
Legal Basis: Contract performance (GDPR Art. 6(1)(b))
Content Data
Examples: Videos ("Spills"), captions, comments, reactions
Purpose: Provide core video journaling and sharing features
Legal Basis: Contract performance (GDPR Art. 6(1)(b))
Communication Data
Examples: Messages to support, feedback
Purpose: Respond to support requests, improve services
Legal Basis: Legitimate interests (GDPR Art. 6(1)(f))
Subscription Data
Examples: Subscription status, purchase history (via RevenueCat)
Purpose: Process payments, manage subscriptions
Legal Basis: Contract performance (GDPR Art. 6(1)(b))
1.2 Information Collected Automatically
Usage Analytics
Examples: Screens viewed, features used, session duration (via Firebase Analytics)
Purpose: Improve app performance, understand feature engagement
Legal Basis: Legitimate interests (GDPR Art. 6(1)(f))
Technical Data
Examples: Device model, iOS version, app version, crash logs
Purpose: Debug issues, ensure compatibility
Legal Basis: Legitimate interests (GDPR Art. 6(1)(f))
Security Data
Examples: Authentication tokens, device identifiers
Purpose: Maintain session security, prevent fraud
Legal Basis: Legitimate interests (GDPR Art. 6(1)(f))
1.3 Information from Third Parties
We may receive information from:
Apple: Email address, name (via Sign In with Apple)
App Store: Purchase verification data
Firebase: Analytics and crash reporting data
2.1 Primary Purposes
π₯ Provide Core Services
Host, sync and stream your Spills
Enable private journaling and friend sharing
Process in-app purchases and manage subscriptions
π§ Improve & Maintain Services
Analyze usage patterns to improve features (aggregated data only)
Debug crashes and performance issues
Ensure app security and prevent fraud
π Communication
Send essential service notifications (security alerts, feature updates)
Respond to support inquiries
Process feedback and feature requests
βοΈ Legal Compliance
Comply with applicable laws and regulations
Respond to valid legal requests
Enforce our Terms of Service
2.2 We Do NOT Use Your Data For
β Advertising or marketing to third parties
β Selling or renting personal information
β Cross-app tracking or profiling
β Analyzing video content without explicit consent
3.1 Limited Sharing Scenarios
Friends You Invite
What We Share: Spills you explicitly share, associated reactions/comments
Why: Deliver core social features
Safeguards: User-controlled sharing settings
Service Providers
What We Share: Encrypted data necessary for service provision
Why: Cloud hosting, payments, analytics
Safeguards: Data processing agreements, encryption
Legal Authorities
What We Share: Data required by valid legal process
Why: Comply with legal obligations
Safeguards: Challenge overbroad requests, minimal disclosure
Business Transactions
What We Share: Account data in case of merger/acquisition
Why: Business continuity
Safeguards: User notification, data protection commitments
3.2 Service Providers
Supabase
Service: Database & file storage
Data Shared: Encrypted Spills, account data
Location: US/EU (user region)
Safeguards: SOC 2 certified, encryption at rest
RevenueCat
Service: Subscription management
Data Shared: User ID, subscription status, purchase data
Location: United States
Privacy Policy: https://www.revenuecat.com/privacy
Firebase
Service: Analytics & notifications
Data Shared: Pseudonymous usage data, device tokens
Location: United States
Privacy Policy: https://policies.google.com/privacy
Cloudflare
Service: Content delivery
Data Shared: IP address, cached video data
Location: Global CDN
Privacy Policy: https://www.cloudflare.com/privacypolicy/
Apple
Service: Authentication & payments
Data Shared: Sign-in data, purchase receipts
Location: United States
Privacy Policy: https://www.apple.com/privacy/
β οΈ Important: All service providers are bound by data processing agreements and must use your data solely to provide services to us.
4.1 Content Control
Privacy Settings: Choose whether Spills are private or shared with friends
Delete Content: Remove individual Spills or comments at any time
Friend Management: Add or remove friends from your sharing circles
Account Deletion: Delete your entire account and all associated data
4.2 Data Protection Rights
πͺπΊ EU/EEA/UK Residents (GDPR Rights)
Access: Request a copy of your personal data
Rectification: Correct inaccurate or incomplete data
Erasure: Request deletion of your personal data ("right to be forgotten")
Portability: Receive your data in a machine-readable format
Restriction: Limit how we process your data
Objection: Object to processing based on legitimate interests
Withdraw Consent: Revoke consent for any consent-based processing
πΊπΈ US Residents (State Privacy Laws)
California (CCPA/CPRA): Right to know, delete, correct, and opt-out of sale (we don't sell data)
Virginia (VCDPA): Access, correction, deletion, and portability rights
Colorado (CPA): Similar rights to Virginia residents
π Other Jurisdictions We comply with applicable data protection laws in your jurisdiction. Contact us for specific rights information.
4.3 How to Exercise Your Rights
In-App: Use privacy settings in the app for most requests
Email: Contact hello@joinspill.com for complex requests
Response Time: We respond within 30 days (or as required by local law)
Verification: We may request identity verification to protect your privacy
4.4 Marketing & Communications
No Marketing: We don't send marketing emails by default
Service Notifications: Essential notifications can't be disabled but are minimal
Push Notifications: Manage in your device settings
5.1 Retention Periods
Spills & Account Data
Retention Period: Until you delete the Spill/account
Rationale: User control, service provision
Deleted Data Backups
Retention Period: Maximum 30 days after deletion
Rationale: Technical necessity, disaster recovery
Analytics Data
Retention Period: 26 months, then aggregated/anonymized
Rationale: Service improvement, compliance
Support Communications
Retention Period: 3 years after last interaction
Rationale: Customer service, dispute resolution
Financial Records
Retention Period: 7 years
Rationale: Tax obligations, financial regulations
5.2 Automated Deletion-
Inactive Accounts: After 3 years of inactivity, we'll email you before deletion
Temporary Data: Crash logs and error reports deleted after 90 days
Cache Data: Video cache cleared based on device storage needs
6.1 Technical Safeguards
π Encryption in Transit: TLS 1.3 for all data transmission
π Encryption at Rest: AES-256 encryption for stored data
π Access Controls: Role-based access with multi-factor authentication
π Security Monitoring: Continuous monitoring for threats and breaches
π‘οΈ Regular Audits: Annual security assessments and penetration testing
6.2 Organizational Measures
Staff Training: Regular privacy and security training
Data Minimization: Collect only necessary data
Incident Response: 72-hour breach notification procedures (GDPR compliant)
Vendor Management: Due diligence on all service providers
6.3 Your Security Responsibilities
Keep your device and Apple ID secure
Report suspected unauthorized access immediately
Use strong device passcodes/biometric locks
Don't share account credentials
7.1 Transfer Mechanisms
Your data may be processed in countries outside your residence, including the United States. We ensure adequate protection through:
πͺπΊ EU Standard Contractual Clauses (SCCs): For EU data transfers
ποΈ Adequacy Decisions: Where available (e.g., EU-US Data Privacy Framework)
π Additional Safeguards: Encryption, access controls, audit rights
7.2 Data Localization
EU Users: Where possible, data is processed within the EU
US Users: Primary processing in the United States
Other Regions: Processed in nearest secure data center
7.3 Legal Basis for Transfers
Necessary for contract performance (providing Spill services)
Legitimate interests (service improvement, security)
Your explicit consent (where required)
8.1 Age Requirements
πΊπΈ United States: Minimum age 13 with parental consent
πͺπΊ EU/EEA: Minimum age 16 (or lower as set by member state, but not below 13)
π¬π§ United Kingdom: Minimum age 13 with parental consent
π Other Countries: As required by local law
8.2 Parental Controls
If we learn we've collected data from a child without proper consent:
We'll delete the account and all associated data within 24 hours
We'll notify the child (if possible) and request they seek parental permission
Parents can contact us to review, modify, or delete their child's information
8.3 Special Protections for Minors
Enhanced privacy settings by default
Limited data collection and sharing
No behavioral advertising or profiling
Priority customer support for safety concerns
Spill is designed for personal expression and social connection. It is NOT a substitute for professional mental health care, therapy, or crisis intervention.
If you are experiencing:
Suicidal thoughts or self-harm ideation
Severe depression, anxiety, or mental health crisis
Thoughts of harming others
Substance abuse or addiction issues
Please seek immediate professional help:
πΊπΈ United States
Crisis Hotline: 988 (Suicide & Crisis Lifeline)
Text/Chat: Text "HELLO" to 741741
π«π· France
Crisis Hotline: 3114 (National suicide prevention)
Text/Chat: sos-amitie.com
π¬π§ United Kingdom
Crisis Hotline: 116 123 (Samaritans)
Text/Chat: samaritans.org
π©πͺ Germany
Crisis Hotline: 0800 111 0 111 (Telefonseelsorge)
Text/Chat: telefonseelsorge.de
π International
Crisis Resources: findahelpline.com
Support Network: befrienders.org
AI Features Disclaimer
Any AI-powered features (if available) are for entertainment and reflection purposes only. They do not provide medical, psychological, or therapeutic advice.
10.1 GDPR Representative (EU/EEA/UK)
EU Representative: Spill
UK Representative: Spill
10.2 Complaints & Regulatory Contacts
EU: Contact your local Data Protection Authority
UK: Information Commissioner's Office (ico.org.uk)
US: Contact us directly at hello@joinspill.com
11.1 Notification Process
Material Changes: 30-day advance notice via email and in-app notification
Minor Updates: Notice in app and on website
Emergency Changes: Immediate notice if required for legal/security reasons
11.2 Continued Use
Your continued use of Spill after changes take effect constitutes acceptance of the updated Policy.
12.1 Privacy Inquiries
Email: hello@joinspill.com
Subject Line: "Privacy Policy Question"
Response Time: Within 5 business days
12.2 Data Protection Officer
For GDPR-related inquiries: hello@joinspill.com
12.3 Emergency Contact
For urgent security or safety concerns: hello@joinspill.com